Strategies for Managing Vendor and Third Party Risk

Banker Resource November 26, 2013

The Office of the Comptroller of the Currency (OCC) has become the first of the main banking regulators to issue updated guidelines on third party risk. Other federal bank regulators are expected to follow the OCC’s lead. This means that banks must prepare for greater scrutiny of their third party and vendor management programs. The updated guidelines specify quite a few areas in which banks need to improve their vendor management programs for third party relationships.

This new guidance can be useful to banks and non-bank lenders as a reference for what they need to consider in order to create a healthy and strong vendor management policy. The OCC has identified the increasing complexity and significance of these relationships and raises the concern that banks’ management systems cannot keep pace with that development. The deficiencies it identified in the risk management process are a failure to assess and understand the risks and costs of third-party relationships and a failure to perform satisfactory monitoring. It also pointed out that banks were entering into informal agreements without contracts and entering into contracts that could be detrimental to the bank and its customers.

OCC Requirements

The OCC requires banks to adopt risk management processes that correspond to the risk and complexity level of their third party relationships. The OCC defines an effective third party risk management process as one that follows a continuous life cycle throughout all relationships and incorporates these points:

- Managing the relationship by developing an effective plan for the risk management process. Such plans are always helpful but become necessary when a bank is considering contracts with a third party that involve critical activities.

- Selecting the third party with careful consideration and after conducting a review. This helps the bank ensure that it is selecting the right third party and understands the risks of the relationship before it signs the contract.

- Negotiating a contract that clearly defines and explains the expected responsibilities of the third party. This limits the bank’s liability and ensures the contract is enforced.

- Ongoing monitoring of the third party relationship is essential for the bank to be able to manage the risk involved.

- It is also essential for a bank to create a contingency plan to ensure that the bank can transition activities to another third party when required.

- The bank needs to assign clear roles for responsibility to manage third party relationships and to integrate third party risk management processes with the bank’s enterprise risk management framework.

- Proper documentation and reporting, along with intermittent independent reviews of the risk management process. These support the bank’s accountability, monitoring and risk management, and allow it to assess whether the process is aligned with the bank’s overall strategy.

The guidance from the OCC covers each of these points in greater detail, with extensive discussion of how banks need to go ahead with their third party strategies.